
An Intrusion Detection System (IDS) allows you to detect suspicious
activities happening on your network as a result of a past or active
attack. Because of its programming capabilities, Bro can easily be
configured to behave like traditional IDSs and detect common attacks
with well known patterns, or you can create your own scripts to detect
conditions specific to your particular case.

In the following sections, we present a few examples of common uses of
Bro as an IDS.

For the purpose of this exercise, we define FTP brute-forcing as too many
rejected usernames and passwords occurring from a single address. We
start by defining a threshold for the number of attempts, a monitoring
interval (in minutes), and a new notice type.

detect-bruteforcing.bro

```bro
module FTP;

export {
    redef enum Notice::Type += {
        ## Indicates a host bruteforcing FTP logins by watching for too
        ## many rejected usernames or failed passwords.
        Bruteforcing
    };

    ## How many rejected usernames or passwords are required before being
    ## considered to be bruteforcing.
    const bruteforce_threshold: double = 20 &redef;

    ## The time period in which the threshold needs to be crossed before
    ## being reset.
    const bruteforce_measurement_interval = 15mins &redef;
}
```

Using the ftp_reply event, we check for error codes from the 500 series for
the “USER” and “PASS” commands, representing rejected usernames or passwords.
For this, we can use the FTP::parse_ftp_reply_code function to break down the
reply code and check whether its first digit is a “5”. If it is, we then use
the Summary Statistics Framework to keep track of the number of failed
attempts.

detect-bruteforcing.bro

```bro
##! FTP brute-forcing detector, triggering when too many rejected usernames or
##! failed passwords have occurred from a single address.

@load base/protocols/ftp
@load base/frameworks/sumstats
@load base/utils/time

module FTP;

export {
    redef enum Notice::Type += {
        ## Indicates a host bruteforcing FTP logins by watching for too
        ## many rejected usernames or failed passwords.
        Bruteforcing
    };

    ## How many rejected usernames or passwords are required before being
    ## considered to be bruteforcing.
    const bruteforce_threshold: double = 20 &redef;

    ## The time period in which the threshold needs to be crossed before
    ## being reset.
    const bruteforce_measurement_interval = 15mins &redef;
}

event bro_init()
    {
    local r1: SumStats::Reducer = [$stream="ftp.failed_auth",
                                   $apply=set(SumStats::UNIQUE),
                                   $unique_max=double_to_count(bruteforce_threshold+2)];
    SumStats::create([$name="ftp-detect-bruteforcing",
                      $epoch=bruteforce_measurement_interval,
                      $reducers=set(r1),
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["ftp.failed_auth"]$num+0.0;
                          },
                      $threshold=bruteforce_threshold,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["ftp.failed_auth"];
                          local dur = duration_to_mins_secs(r$end-r$begin);
                          local plural = r$unique>1 ? "s" : "";
                          local message = fmt("%s had %d failed logins on %d FTP server%s in %s",
                                              key$host, r$num, r$unique, plural, dur);
                          NOTICE([$note=FTP::Bruteforcing,
                                  $src=key$host,
                                  $msg=message,
                                  $identifier=cat(key$host)]);
                          }]);
    }

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
    {
    local cmd = c$ftp$cmdarg$cmd;
    if ( cmd == "USER" || cmd == "PASS" )
        {
        if ( FTP::parse_ftp_reply_code(code)$x == 5 )
            SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
        }
    }
```
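To check what the rule above actually counts without a live sensor, here is an added Python re-implementation of the same detection logic (it is not part of Bro or of the script) run over constructed ftp.log-style records; it also models the SumStats epoch reset, and the record tuple layout, addresses and timestamps are assumptions made for the example.

```python
from collections import defaultdict

BRUTEFORCE_THRESHOLD = 20          # mirrors the script's bruteforce_threshold
MEASUREMENT_INTERVAL = 15 * 60.0   # bruteforce_measurement_interval (15 mins), in seconds


def parse_ftp_reply_code(code):
    """Split a 3-digit reply code into its digits, like FTP::parse_ftp_reply_code's $x/$y/$z."""
    return code // 100, (code // 10) % 10, code % 10


def detect_bruteforcing(records, threshold=BRUTEFORCE_THRESHOLD, interval=MEASUREMENT_INTERVAL):
    """records: time-ordered (ts, orig_h, resp_h, command, reply_code) tuples (assumed layout).
    Returns one notice dict per source whose 5xx USER/PASS replies reach the
    threshold inside a single measurement epoch."""
    notices, epoch_start = [], None
    failed = defaultdict(list)   # orig_h -> [(ts, resp_h)] failures in the current epoch
    notified = set()             # sources already reported this epoch (approximates $identifier suppression)
    for ts, orig_h, resp_h, cmd, code in records:
        if epoch_start is None or ts - epoch_start >= interval:
            # The SumStats epoch rolled over: every counter starts from zero again.
            epoch_start, failed, notified = ts, defaultdict(list), set()
        # Only rejected usernames/passwords count: USER or PASS answered with a 5xx code.
        if cmd not in ("USER", "PASS") or parse_ftp_reply_code(code)[0] != 5:
            continue
        failed[orig_h].append((ts, resp_h))
        num = len(failed[orig_h])
        if num >= threshold and orig_h not in notified:
            notified.add(orig_h)
            servers = {h for _, h in failed[orig_h]}   # SumStats::UNIQUE over $str=resp_h
            notices.append({"src": orig_h, "num": num, "unique": len(servers),
                            "duration": ts - failed[orig_h][0][0]})
    return notices


def sample_records():
    """Constructed ftp.log-style records (not real traffic): one host spraying
    two servers, one user with a few typos, and one non-login 5xx reply."""
    recs = []
    t0 = 1_700_000_000.0
    for i in range(20):   # 20 rejected passwords within 3 minutes, alternating servers
        recs.append((t0 + 9 * i, "10.0.0.5", f"192.0.2.{10 + i % 2}", "PASS", 530))
    for i in range(3):    # legitimate user mistyping a password three times
        recs.append((t0 + 30 * i, "10.0.0.9", "192.0.2.10", "PASS", 530))
    recs.append((t0 + 5, "10.0.0.9", "192.0.2.10", "CWD", 550))   # 5xx, but not a login reply
    recs.sort(key=lambda r: r[0])
    return recs
```

Running `detect_bruteforcing(sample_records())` yields a single notice for 10.0.0.5 (20 failures on 2 servers), while the typo user and the CWD reply stay below the rule.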

Files transmitted on your network could either be completely harmless or
contain viruses and other threats. One possible action against this threat is
to compute the hashes of the files and compare them against a list of known
malware hashes. Bro simplifies this task by offering a detect-MHR.bro script
that creates and compares hashes against the Malware Hash Registry maintained
by Team Cymru. Use this feature by loading this script during startup.